Control: reassign -1 apparmor
Control: tag -1 + moreinfo

Hi,

Stefan Baur (2020-06-09):
> As stated in the subject: The tor service won't start when apparmor is
> active and the root filesystem is stored on an overlayfs.

Right, AppArmor does not play well with overlayfs out of the box.
Making that combination work requires lots of customization, that's
specific to the exact filesystem mount stack layout.

Due to that limitation, apparmor.service is supposed to *not* start in
the context of a Debian Live system. Quoting apparmor.service:

    # Don't start this unit on the Debian Live CD when using overlayfs
    ConditionPathExists=!/run/live/overlay/work

So, I have a question:

> 4. run the following commands:
> apt update
> apt install apparmor -y
> service apparmor start

Did the apparmor service start before you started it manually?
I suppose it did not start, hence the need to start it manually, right?

> I believe tails (The Amnesic Incognito Live System) uses tor and
> apparmor for their live cd, which, as far as I know, is Debian-based as
> well, so it would be interesting to see how they solved this issue.
> Maybe intrigeri (https://people.debian.org/~intrigeri / intrigeri at
> debian dot org) can provide some insight?

Sure. Tails' customization that makes it work with overlayfs lives in
files that should be linked from:
https://tails.boum.org/contribute/design/application_isolation/

> As apparmor is causing the issue, but the corresponding "system_tor"
> config file is part of the tor package, I figured I should file this
> against the tor package. Feel free to reassign the bug to the apparmor
> package if bugs about broken/incomplete apparmor profiles should be
> filed against that one.

I'm reassigning to apparmor: if apparmor.service starts automatically in
a Debian Live environment, that's a bug in that service.

Cheers!

